Ensure that locked pages can't be unpublished.

Fixes #1615
2026-05-17 11:41:11 +00:00 · 2015-11-23 20:52:46 +00:00 · 2015-11-23 20:52:46 +00:00 · 88e477098f
commit 88e477098f
parent f4968de0f9
7 changed files with 29 additions and 6 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -9,6 +9,7 @@ Changelog
 * Added `.alt` attribute to image renditions
 * The default `src`, `width`, `height` and `alt` attributes can now be overridden by attributes passed to the `{% image %}` tag
 * Fix: HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Fix: Locked pages can no longer be unpublished (Alex Bridge)

 1.2 (12.11.2015)
 ~~~~~~~~~~~~~~~~
--- a/CONTRIBUTORS.rst
+++ b/CONTRIBUTORS.rst
@ -80,6 +80,7 @@ Contributors
 * Sergey Nikitin
 * John Draper
 * Rich Brennan
+* Alex Bridge


 Translators
--- a/docs/releases/1.3.rst
+++ b/docs/releases/1.3.rst
@ -24,6 +24,7 @@ Bug fixes
 ~~~~~~~~~

 * HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Locked pages can no longer be unpublished (Alex Bridge)


 Upgrade considerations
--- a/wagtail/tests/testapp/fixtures/test.json
+++ b/wagtail/tests/testapp/fixtures/test.json
@ -23,7 +23,7 @@
    "model": "wagtailcore.page",
    "fields": {
        "title": "Welcome to the Wagtail test site!",
-        "numchild": 5,
+        "numchild": 6,
        "show_in_menus": false,
        "live": true,
        "depth": 2,
@ -33,7 +33,6 @@
        "slug": "home"
    }
 },
-
 {
    "pk": 3,
    "model": "wagtailcore.page",
@ -379,7 +378,22 @@
        "cost": "free"
    }
 },
-
+{
+    "pk": 14,
+    "model": "wagtailcore.page",
+    "fields": {
+        "title": "My locked page",
+        "numchild": 0,
+        "show_in_menus": true,
+        "live": true,
+        "depth": 3,
+        "content_type": ["wagtailcore", "page"],
+        "path": "000100010006",
+        "url_path": "/home/my-locked-page/",
+        "slug": "my-locked-page",
+        "locked": true
+    }
+},
 {
    "pk": 1,
    "model": "wagtailcore.site",
--- a/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
+++ b/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
@ -1,5 +1,5 @@
 {% extends "wagtailadmin/base.html" %}
-{% load i18n %}
+{% load i18n wagtailadmin_tags %}
 {% block titletag %}{% blocktrans with title=page.title %}Delete {{ title }}{% endblocktrans %}{% endblock %}

 {% block content %}
@ -17,12 +17,13 @@
                {% endblocktrans %}
            {% endif %}
        </p>
-        {% if page.live %}
+        {% page_permissions page as page_perms %}
+        {% if page_perms.can_unpublish %}
            <p>{% trans "Alternatively you can unpublish the page. This removes the page from public view and you can edit or publish it again later." %}</p>
        {% endif %}
        <form action="{% url 'wagtailadmin_pages:delete' page.id %}" method="POST">
            {% csrf_token %}
-            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page.live %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
+            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page_perms.can_unpublish %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
        </form>
    </div>
 {% endblock %}
--- a/wagtail/wagtailcore/models.py
+++ b/wagtail/wagtailcore/models.py
@ -1352,6 +1352,8 @@ class PagePermissionTester(object):
            return False
        if (not self.page.live) or self.page_is_root:
            return False
+        if self.page.locked:
+            return False

        return self.user.is_superuser or ('publish' in self.permissions)

--- a/wagtail/wagtailcore/tests/test_page_permissions.py
+++ b/wagtail/wagtailcore/tests/test_page_permissions.py
@ -303,10 +303,13 @@ class TestPagePermission(TestCase):
    def test_lock_page_for_superuser(self):
        user = get_user_model().objects.get(username='superuser')
        christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
+        locked_page = Page.objects.get(url_path='/home/my-locked-page/')

        perms = UserPagePermissionsProxy(user).for_page(christmas_page)
+        locked_perms = UserPagePermissionsProxy(user).for_page(locked_page)

        self.assertTrue(perms.can_lock())
+        self.assertFalse(locked_perms.can_unpublish())  # locked pages can't be unpublished

    def test_lock_page_for_moderator(self):
        user = get_user_model().objects.get(username='eventmoderator')